Europol knocks RagnarLocker offline in second major ransomware bust this year

Group will be remembered as staunch negotiator and a bullier of critical infrastructure orgs


Law enforcement agencies have taken over RagnarLocker ransomware group's leak site in an internationally coordinated takedown.

Agencies involved include Europol's European Cybercrime Centre (EC3), the US Federal Bureau of Investigation (FBI), and Germany's Bundeskriminalamt (BKA), among many others.

The takedown follows a concerted effort by law enforcement in recent years to shutter ransomware groups as the gangs' takings continue to break previous records.

In January this year, the FBI led the takedown of the Hive group, handing out decryption keys to more than 300 victims. The Bureau calculated the potential savings in ransom payments at around $130 million.

At the time, FBI director Christopher Wray said only about 40 percent of Hive's victims contacted the FBI about the incident. 

A known tactic of RagnarLocker is to dissuade victims from contacting domestic law enforcement, a fact that makes the latest bust extra special, according to Jake Moore, global cybersecurity advisor at ESET.

"Any takedown by Europol is both significant and impressive but this seems to have extra kudos due to its Russian origin and it reflects the power of trying to suppress law enforcement help," he told The Register.

"In the past, RagnarLocker has warned their victims not to contact the police or FBI concerning their ransom demands or face the threat of having their data published. Therefore, this takedown will come as an extra blow to the ransomware group, who clearly have a bone of contention with the authorities."

Asked about the takedown, Europol declined to comment further, other than to say it is "part of an ongoing action against this ransomware group." More details are expected to be released via official channels tomorrow.

What is RagnarLocker?

RagnarLocker emerged in late 2019 or early 2020, depending on which security company's reports you read, and its location has never been conclusively proven.

Many European and Asian countries have been linked to the gang, which uses its own eponymous ransomware payload, though Russia and Ukraine are the ones most often floated.

The FBI was prompted to release an advisory in March 2022 alerting organizations to the group's preferred targets: critical infrastructure.

It said at the time that 52 critical infrastructure organizations had been successfully targeted by the group. This included victims in the manufacturing and energy sectors, as well as finance, government, and IT. 

The advisory came just a year after one of the largest attacks on critical infrastructure in US history swept the headlines, at a time when such attacks were high on the list of the US government's concerns.

DarkSide's attack on Colonial Pipeline caused major disruption to the East Coast of the US, and prompted the Biden administration to issue Executive Order 14028: Improving the Nation's Cybersecurity in response.

RagnarLocker is also well known for adopting a double extortion model and was notoriously inflexible in its approach to negotiations.

Most modern ransomware groups are open to negotiating fees, as long as the negotiations don't hurt their feelings. RagnarLocker was known for its take-it-or-leave-it stance on issuing ransom demands. 

The gang was previously considered one of the most dangerous in operation, though it hasn't been as active in 2023.

It was omitted from Microsoft's latest Digital Defense Report, which ranked the top ransomware groups in operation currently.

The only major attack claimed by RagnarLocker in the past year was on an Israeli hospital, an incident in which it leaked 400GB of an alleged 1TB of stolen data, part of its telltale double extortion tactic. Well… former tactic, now.  ®
